Enable OAuth PKCE Extension (#31129)

2024-07-26 10:53:10 +02:00 · 2024-07-26 10:53:10 +02:00 · 693d9b03ed
commit 693d9b03ed
parent 3793c845c9
10 changed files with 164 additions and 6 deletions
--- a/app/lib/oauth_pre_authorization_extension.rb
+++ b/app/lib/oauth_pre_authorization_extension.rb
@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module OauthPreAuthorizationExtension
+  extend ActiveSupport::Concern
+
+  included do
+    validate :code_challenge_method_s256, error: Doorkeeper::Errors::InvalidCodeChallengeMethod
+  end
+
+  def validate_code_challenge_method_s256
+    code_challenge.blank? || code_challenge_method == 'S256'
+  end
+end
--- a/app/presenters/oauth_metadata_presenter.rb
+++ b/app/presenters/oauth_metadata_presenter.rb
@ -7,6 +7,7 @@ class OauthMetadataPresenter < ActiveModelSerializers::Model
             :revocation_endpoint, :scopes_supported,
             :response_types_supported, :response_modes_supported,
             :grant_types_supported, :token_endpoint_auth_methods_supported,
+             :code_challenge_methods_supported,
             :service_documentation, :app_registration_endpoint

  def issuer
@ -59,6 +60,10 @@ class OauthMetadataPresenter < ActiveModelSerializers::Model
    %w(client_secret_basic client_secret_post)
  end

+  def code_challenge_methods_supported
+    %w(S256)
+  end
+
  private

  def doorkeeper
--- a/app/serializers/oauth_metadata_serializer.rb
+++ b/app/serializers/oauth_metadata_serializer.rb
@ -5,5 +5,6 @@ class OauthMetadataSerializer < ActiveModel::Serializer
             :revocation_endpoint, :scopes_supported,
             :response_types_supported, :response_modes_supported,
             :grant_types_supported, :token_endpoint_auth_methods_supported,
+             :code_challenge_methods_supported,
             :service_documentation, :app_registration_endpoint
 end
--- a/app/views/oauth/authorizations/new.html.haml
+++ b/app/views/oauth/authorizations/new.html.haml
@ -26,6 +26,8 @@
                            value: @pre_auth.client.uid
        = form.hidden_field :redirect_uri,
                            value: @pre_auth.redirect_uri
+        = form.hidden_field :code_challenge, value: @pre_auth.code_challenge
+        = form.hidden_field :code_challenge_method, value: @pre_auth.code_challenge_method
        = form.hidden_field :state,
                            value: @pre_auth.state
        = form.hidden_field :response_type,
@ -40,6 +42,8 @@
                            value: @pre_auth.client.uid
        = form.hidden_field :redirect_uri,
                            value: @pre_auth.redirect_uri
+        = form.hidden_field :code_challenge, value: @pre_auth.code_challenge
+        = form.hidden_field :code_challenge_method, value: @pre_auth.code_challenge_method
        = form.hidden_field :state,
                            value: @pre_auth.state
        = form.hidden_field :response_type,